Findings from the “2015 PwC US State of Cybercrime Survey” revealed that only 26 percent of those surveyed feel they have the expertise to address the cyber risks associated with the implementation of new technologies. This means that 74 percent of organizations — essentially three-quarters — don’t have the cybersecurity talent they need.
This is the known quantity of the security talent gap. The unknown quantity is its solution. Why? Because the scope of the challenge is broad and growing as more and more organizations and agencies move towards the digitization of their networks, adopt more interactive applications, and move services online. It also requires an expanding range of skill sets that are known, but given the rate of change, also unknown.
This is a significant challenge for the public sector. At one time the public sector was able to lure qualified candidates for a variety of positions, not just in the cybersecurity arena, but in many other areas of expertise, including law, medicine, science, engineering, etc., with the promise of stability and impressive benefit packages.
This is not the case today. Nor is this just a public sector challenge. Private companies are also feeling the talent shortfall. However, they possess allurements such as stock options and larger paychecks unavailable to the public sector to hire the expertise they need.
The government is not without its incentives, though; it can attract security talent by focusing on purpose, control, influence, and challenges. Its market is always broader, with more interdisciplinary opportunities and applications, and its societal influence is longer-lasting. Many people derive greater satisfaction and fulfillment from a public career than from one in private industry.
There is always, however, the need for the government package to meet certain fundamental material aspirations and requirements of employees. The challenge is to balance fiscal requirements with the other factors discussed.
However, challenges exist beyond those related to attractive incentives. The most significant cybersecurity challenge is the unknown. Former Secretary of Defense Donald Rumsfeld perhaps gave the best explanation of this during a news briefing 14 years ago:
“There are known knowns. These are the things that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. These are things we don’t know we don’t know.”
This pretty much sums up the cybersecurity challenge. Attack methods and breaching techniques are constantly evolving. Which means that finding the elusive talent to overcome present challenges is only part of the solution. Sure, we know the tried and true breach methods. But what about the attacks we don’t yet know? If the method is unknown, then so is the required response. The talent shortfall, therefore, is about much more than just a limited technical pool. The NSA recently summed up the cybersecurity technology requirement as integration, synchronization, and automation – functionality that most networks, public sector or not, currently lack.
How We Got Here
How did we arrive at this place of having both a technology and talent shortfall?
During the 1960s there was a push to interconnect computer systems. Even then there were experts raising concerns about security and data protection. However, these concerns were disregarded in order to focus on connectivity. This same focus continues today. Ease of connectivity first, security later.
The reality, though, is that the two are intertwined. Connectivity and security must be coordinated together and be able to scale equally and simultneously. Data without protection is unreliable and dangerous, and security without data is an empty bank vault, impressive but with neither function nor purpose. The balancing of this yin and yang is the ultimate goal.
Cybersecurity came to the forefront initially because of the risks related to increasing connectivity. But today it has taken on greater importance. Its new prioritization is critical because we continue to encounter the dangerous unknowns of cybersecurity. To avoid history repeating itself, a cultural shift towards integrated security needs to be embraced, because defective, altered, manipulated, compromised, or breached data nullifies the benefits of connectivity.
This will, of course, require a growing security talent pool and a broader definition of the talents required for that pool. Fortunately, government agencies are working to develop that talent through organizations such as the National Initiative for Cybersecurity Education, but much work remains to be done.
The Critical Human Factor
When we take a good look at the needs of government, there is not a single agency that does not need a more robust cybersecurity workforce. Many government agencies are responsible for a variety of interconnected systems, valuable data, and critical infrastructures.
While homeland security will always be the greatest risk when it pertains to government, the risk cybersecurity poses extends far beyond the borders of government — from roadways and transportation systems, to energy and water, to manufacturing and financial systems. The incapacitation or destruction of any of these critical homeland infrastructures would have a debilitating effect on security, public safety, and the economy. Technology alone can’t protect these systems. To fully protect these critical infrastructures, we need skilled cybersecurity professionals who can plan for and protect them against both known and unknown threats.
The cybersecurity skills gap is real, but it is an issue not only of bodies, but also of minds. That is, the problem is too important to merely fill vacant positions with warm bodies. Security professionals need specific skill sets to truly be effective. Here are four key areas those entering the cybersecurity field should have in their knowledge toolbox:
Citizens rely heavily on critical infrastructure and other connected government services. Bridging the cybersecurity talent gap must be an essential priority for government agencies. This is easier said than done, but it is not impossible. It will require educating, building, and reinforcing our cybersecurity talent pool and workforce through expanding their knowledge toolbox in the four ways listed above, including constant education and retraining.
Creating programs and public/private partnerships to actively recruit more individuals into the cybersecurity field is another key tactic. There is a ready talent pool in our universities, and transitioning out of the armed forces, with the capacity and mindset that makes them ideal cybersecurity candidates. Acting now to identify and prepare these individuals will enable the government to create and grow the workforce needed to safeguard the nation’s assets and its citizens from the known and unknown threats that lie ahead.
By Steve Kirk, vice president of federal at Fortinet.
*Originally published by NextGov on October 27, 2016.